Tag Archives: security

Elastix 1.5 and 1.6 security vulnerability

If you’re still using Elastix 1.5 or 1.6 (or earlier) then it is critically important that you ensure you are not open to this vulnerability –

http://secunia.com/advisories/41330/

This allows anyone to download a list of extensions and secrets from your Elastix server, no password required! They can then use this information to place expensive calls through your server.

To test if you are vulnerable visit the following URLs in a web browser, replacing the IP address with your Elastix server IP –

http://x.x.x.x/modules/extensions_batch/libs/download_csv.php
https://x.x.x.x/modules/extensions_batch/libs/download_csv.php

The easiest way to secure your server from this is to delete the affected file (this was done in later releases) –

rm /var/www/html/modules/extensions_batch/libs/download_csv.php
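The check and fix above, as an added shell script that is not part of the original post. It assumes the document root is /var/www/html (as in the rm command above) but takes it as a parameter, and the function names are my own; the remote probe simply repeats the browser test against your own server with curl.

```shell
#!/bin/sh
# Added example: look for the vulnerable Elastix script locally, remove it,
# and probe your own server to confirm it is no longer served.

# Relative path of the affected file, as given in the post.
VULN_PATH="modules/extensions_batch/libs/download_csv.php"

# check_download_csv [DOCROOT]
#   Returns 0 if the file is absent, 1 if it is still present.
#   DOCROOT defaults to /var/www/html (assumed standard Elastix layout).
check_download_csv() {
    docroot="${1:-/var/www/html}"
    if [ -e "$docroot/$VULN_PATH" ]; then
        echo "VULNERABLE: $docroot/$VULN_PATH is present" >&2
        return 1
    fi
    echo "OK: $docroot/$VULN_PATH not found"
    return 0
}

# remove_download_csv [DOCROOT]
#   Deletes the file if present, then re-runs the check so the return
#   value reflects the final state (0 = fixed).
remove_download_csv() {
    docroot="${1:-/var/www/html}"
    target="$docroot/$VULN_PATH"
    if [ -e "$target" ]; then
        rm -f "$target"
        echo "Removed $target"
    fi
    check_download_csv "$docroot"
}

# probe_download_csv HOST
#   Requests the script over HTTP and HTTPS from your own server and prints
#   the status code: 200 means it is still being served, 404 means it is gone.
#   -k is used because Elastix usually ships a self-signed certificate.
probe_download_csv() {
    host="$1"
    for scheme in http https; do
        code=$(curl -k -s --max-time 10 -o /dev/null \
                    -w '%{http_code}' "$scheme://$host/$VULN_PATH")
        echo "$scheme://$host/$VULN_PATH -> HTTP $code"
    done
}

# Typical use, as root on the PBX:
#   . ./elastix_csv_check.sh; remove_download_csv; probe_download_csv x.x.x.x
```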

There are active scans on the Internet looking for vulnerable servers.

Asterisk/FreePBX dial plan injection vulnerability

There is an interesting discussion on the PBX-in-a-Flash forums here regarding an Asterisk security announcement.

If you write custom Asterisk contexts outside of FreePBX then you should read through how to do this securely. You should not be using wildcard pattern matching as this could be used to create channels in a manner not intended.

Also raised is the potential of an Asterisk/FreePBX system being compromised via the Asterisk Recording Interface (ARI). This is the web interface that allows you to view and manage voicemails. If you do not use this feature of FreePBX it is strongly recommended that you remove access to it. This can be done simply by running the following command as root on systems with a standard configuration –

chmod 000 /var/www/html/recordings

This will prevent the ARI being accessible via a browser.

If you would like more information regarding Asterisk dialplan security please see the following resources –

http://www.asterisk.org/node/49906
http://downloads.asterisk.org/pub/security/AST-2010-002.html
http://svn.asterisk.org/svn/asterisk/trunk/README-SERIOUSLY.bestpractices.txt
http://www.freepbx.org/forum/freepbx/users/dial-plan-injection-vulnerability

Also, always use complex and difficult-to-guess passwords in all areas when setting up Asterisk/FreePBX.

If you have a sysadminman VPS and would like the ARI interface disabling please raise a ticket via the helpdesk.

As always thanks to Ward Mundy and Joe Roper who make a great contribution to the Asterisk community.

FreePBX security update

A security update has been released for FreePBX versions 2.4, 2.5 and 2.6. Details of the update can be found here – http://freepbx.org/trac/ticket/366

While the updates are classified as low risk it is probably worth ensuring that your system is up to date.

Updates can be applied to FreePBX by going to Tools – Module Admin – Check for updates online – Upgrade All – Process

FBI / IC3 issue warning for Asterisk users

Last December the IC3 issued an alert for Asterisk users which can be seen here.

This initially caused a panic amongst the developers as it wasn’t really clear what the alert was about. It turns out that it was for a vulnerability that was identified and patched by Digium 9 months earlier. IC3 issued an updated bulletin shortly after, describing the issue a little better, which can be seen here.

I’m still seeing this alert being used to try and discourage people from using Asterisk but as far as I can see it’s just a normal security warning that was quickly identified and fixed by the software developer.

If you’d like to read more information there’s a good post here regarding this – http://blog.tmcnet.com/blog/tom-keating/asterisk/digium-responds-to-fbi-vhishing-security-warning-about-asterisk.asp and, as always, keep your software patched!

Using DISA with FreePBX and A2Billing

DISA is great!

It allows you to call in to your Asterisk server, get a dial tone, and then dial back out as if you were using a normal extension on your system. I use this lots to make cheap international calls from my mobile phone.

You may also wish to route your DISA calls via A2Billing. If you’ve integrated FreePBX and A2Billing as described here it’s a simple case of changing one setting on your DISA setup in FreePBX.


Hacking and securing your Asterisk server

I spent a little while playing with sipvicious today. This is a SIP scanner that can be used for scanning SIP servers – which obviously includes Asterisk, Trixbox, Elastix, etc…

It’s not surprising that scanning for vulnerable SIP servers is on the increase – these sorts of tools are really easy to use, and with the lure of making free phone calls at your expense it’s definitely worth making sure that your PBX is secure.

Here’s what I did to scan one of my servers. The server is a Trixbox CE 2.6 server and I set up the following extensions for testing –
